| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52F395BB.2030209@6wind.com>
Date: Thu, 06 Feb 2014 15:01:31 +0100
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: François-Xavier Le Bail <fx.lebail@...oo.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: David Stevens <dlstevens@...ibm.com>,
Bill Fink <billfink@...dspring.com>,
Hannes Frederic Sowa <hannes@...essinduktion.org>,
"David S. Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
James Morris <jmorris@...ei.org>,
Hideaki Yoshifuji <yoshfuji@...ux-ipv6.org>,
Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH net-next v2] ipv6: enable anycast addresses as source
addresses in ICMPv6 error messages
Le 06/02/2014 13:38, François-Xavier Le Bail a écrit :
>> From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>
>
>> Subject: Re: [PATCH net-next v2] ipv6: enable anycast addresses as source addresses in ICMPv6 error messages
>>
>> Le 19/01/2014 17:00, Francois-Xavier Le Bail a écrit :
>>
>>> - Uses ipv6_anycast_destination() in icmp6_send().
>>>
>>> Suggested-by: Bill Fink <billfink@...dspring.com>
>>> Signed-off-by: Francois-Xavier Le Bail <fx.lebail@...oo.com>
>> This patch causes an Oops on my target.
>
> What is your target ?
x86 32bits
>
>> Here is the step to reproduce it:
>> modprobe sit
>> ip link add sit1 type sit remote 10.16.0.121 local 10.16.0.249
>> ip l s sit1 up
>> ip -6 a a dev sit1 2001:1234::123 remote 2001:1234::121
>> ping6 2001:1234::121
>
> I cannot reproduce this in my target (updated net-next x86_64) and
> iproute2 from git.
I use linus tree (3.14-rc1+).
> Can you send me your config file ?
See attachment.
>
>> The problem is that ipv6_anycast_destination() uses unconditionally
>> skb_dst(skb), which is NULL in this case.
>>
>> Not sure what is the best way to fix this, any suggestions?
>
> I will try to reproduce first and see.
Note that the peer was not set up, hence the ping didn't work.
ipip6_err() calls ipip6_err_gen_icmpv6_unreach() which will drop the dst
before calling icmpv6_send().
Here is the backtrace:
[ 387.786155] BUG: unable to handle kernel NULL pointer dereference at 00000096
[ 387.787291] IP: [<c12f1568>] icmp6_send+0x79/0x596
[ 387.788147] *pdpt = 0000000000000000 *pde = f000ff53f000ff53
[ 387.789343] Oops: 0000 [#1] SMP
[ 387.790002] Modules linked in: sit ip_tunnel rfcomm bnep bluetooth ppdev lp
6lowpan_iphc rfkill crc16 cpufreq_userspace cpufreq_conservative cpufreq_stats
cpufreq_powersave xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4
binfmt_misc deflate ctr twofish_generic twofish_i586 twofish_common
camellia_generic serpent_generic blowfish_generic blowfish_common cast5_generic
cast_common des_generic cbc xcbc rmd160 sha512_generic sha256_generic hmac
crypto_null af_key xfrm_algo fuse nfsv3 nfsv4 nfsd auth_rpcgss oid_registry
nfs_acl nfs lockd fscache sunrpc 8021q garp stp llc sctp loop sg sr_mod cdrom
8139too psmouse i2c_piix4 8139cp pcspkr processor parport_pc parport evdev
microcode floppy button mii serio_raw i2c_core thermal_sys ext3 mbcache jbd
sd_mod crc_t10dif crct10dif_common ata_generic ata_piix libata scsi_mod
[ 387.790055] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 3.14.0-rc1+ #67
[ 387.790055] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 387.790055] task: f286b010 ti: f29a6000 task.ti: f2892000
[ 387.790055] EIP: 0060:[<c12f1568>] EFLAGS: 00210246 CPU: 5
[ 387.790055] EIP is at icmp6_send+0x79/0x596
[ 387.790055] EAX: 00000000 EBX: f752a2c0 ECX: f1925800 EDX: 00000000
[ 387.790055] ESI: 000e0001 EDI: 00000000 EBP: f1bfbf96 ESP: f29a7e04
[ 387.790055] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 387.790055] CR0: 8005003b CR2: 00000096 CR3: 01537000 CR4: 000006f0
[ 387.790055] Stack:
[ 387.790055] f1bfbf7e 00000000 f29a7e2c c14a6f40 030116f2 f29a7e1c c12e59b3
f21602c0
[ 387.790055] f747b240 00000001 c14a6f40 f1bfbf96 f29a7e64 c12e4ff6 c12e59b3
00000000
[ 387.790055] 00000000 00000000 00000000 00000000 34120120 00000000 00000000
23010000
[ 387.790055] Call Trace:
[ 387.790055] [<c12e59b3>] ? rt6_multipath_select+0xa7/0xa7
[ 387.790055] [<c12e4ff6>] ? rt6_lookup+0x60/0x89
[ 387.790055] [<c12e59b3>] ? rt6_multipath_select+0xa7/0xa7
[ 387.790055] [<c12f14ef>] ? icmpv6_push_pending_frames+0xc6/0xc6
[ 387.790055] [<c130314e>] ? icmpv6_send+0x17/0x1a
[ 387.790055] [<f850a85d>] ? ipip6_err+0x1bb/0x213 [sit]
[ 387.790055] [<f85ce03b>] ? tunnel64_err+0x16/0x25 [tunnel4]
View attachment "config.oops" of type "text/plain" (102962 bytes)
Powered by blists - more mailing lists